someclue

About Blank ....gonna scream

15 posts in this topic

I have run all the programmes from reading the board, adaware, cwsshredder etc etc, I have read the other posts and their fixes. I have tried following their suggestions, have downloaded reglite, I have tried to paste, it wouldn't take. I even posted to this earlier and no one helped me, I am again enclosing the hijack this log and the find all log...pppplease someone help me, I am about to revert to stone and chisel thxs Karen

 

 

Logfile of HijackThis v1.97.7

Scan saved at 1:43:14 AM, on 5/22/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\System32\cisvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\WINNT\LogWatNT.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\EtyapiOy.exe

C:\WINNT\system32\NlzBH.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\hijack\hijackthis[1]\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {1FBB5754-2DFF-4D43-93C8-F285EA5F0457} - (no file)

O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\YmxB.exe

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"

 

and this

 

 

 

--==***@@@ 'FIND-ALL' VERSION 6.1 -5/21 @@@***==--

 

 

Sat May 22 01:45:40 2004 -- Results:

*System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "Local Disk" (7C29:6036) - FS:NTFS clusters:512

Total: 19 995 622 912 [19G] - Free: 15 067 545 088 [14G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

"ESB{FC5C6C50-B66F-4BCE-BBAE-57B4140BCBC0}"=""

 

 

*Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINNT\System32\msjava.dll

 

 

*PC uptime:

1:45am up 0 days, 16:42

 

*Locked or 'Suspect' file(s) found...

\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error

\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error

Invalid search path

 

 

*Tasks (services):

0 System Process

8 System

160 SMSS.EXE

184 CSRSS.EXE Title:

204 WINLOGON.EXE Title: NetDDE Agent

240 SERVICES.EXE Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,M

ssenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi

252 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs

452 SVCHOST.EXE Svcs: RpcSs

484 spoolsv.exe Svcs: Spooler

556 ati2evxx.exe Svcs: Ati HotKey Poller

584 CISVC.EXE Svcs: cisvc

604 SVCHOST.EXE Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv

644 InoRpc.exe Svcs: InoRPC

684 InoRT.exe Svcs: InoRT

704 InoTask.exe Svcs: InoTask

776 LogWatNT.exe Svcs: LogWatch

872 regsvc.exe Svcs: RemoteRegistry

896 mstask.exe Svcs: Schedule

972 SVCHOST.EXE Svcs: wuauserv

1072 explorer.exe Title: Program Manager

1428 IEXPLORE.EXE Title:

1208 EtyapiOy.exe Title:

1256 NlzBH.exe Title:

1544 IEXPLORE.EXE Title: SWI Forums -> Malware Removal - Microsoft Internet Explorer

1288 WINZIP32.EXE Title: WinZip - Find-All.zip

100 CMD.EXE Title: C:\WINNT\system32\cmd.exe

1396 NTVDM.EXE

1524 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FBB5754-2DFF-4D43-93C8-F285EA5F0457}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{86C01FCC-EDA1-4F8A-86FC-ED45049DCEEB}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{86C01FCC-EDA1-4F8A-86FC-ED45049DCEEB}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

 

*Security settings for 'Windows' key:

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

*ACLs list for *.* in 'junk' folder: (if exist)

 

Error: Cannot open file [C:\junk\*.*]

*Contents of file(s) in 'junk' folder:

 

Sat May 22 01:45:47 2004 -- *Find-All 'Windows'.hiv list:

A C:\unzipped\Find-All\Find-All\winBackup.hiv

A C:\unzipped\Find-All\Find-All\windows.txt

A C:\FindallwinBackup.hiv


Karen,

A couple of problems here .....

 

1) You also have another trojan running ...

2) Your HijackThis log is incomplete ...

 

1) Uninstall Peper Trojan

http://mjc1.com/files/scripts/drpeper.html

Note: make sure you are online when run, then reboot.

 

2) Post a fresh (complete) log


thxs Win, I did what you suggested and here is a fresh post

 

Logfile of HijackThis v1.97.7

Scan saved at 10:33:30 AM, on 5/22/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\System32\cisvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe

C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe

C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe

C:\WINNT\LogWatNT.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\Itesz6x.exe

C:\WINNT\system32\Rnz8N.exe

C:\hijack\hijackthis[1]\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Yfk8.exe

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"

 

Thxs Karen

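An added example (not part of any post in this thread) that diffs entry lines copied from the two HijackThis logs above. It shows that the registry locations persist between scans while the file names behind them change, so the locations are the stable thing to track; the function names are this example's own.

```python
import re

# Excerpts copied from the two HijackThis logs posted above (1:43 AM and
# 10:33 AM on 5/22/2004). Unchanged system processes and the repeated
# R1 Search Bar / Search Page lines for HKLM are trimmed for length.
LOG_FIRST = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\EtyapiOy.exe
C:\WINNT\system32\NlzBH.exe
C:\hijack\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\fhpdaba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1FBB5754-2DFF-4D43-93C8-F285EA5F0457} - (no file)
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\YmxB.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
"""

LOG_SECOND = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\Itesz6x.exe
C:\WINNT\system32\Rnz8N.exe
C:\hijack\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cfc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Yfk8.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")  # e.g. "R1 - ...", "O4 - ..."


def parse_log(text):
    """Split a HijackThis log into (running processes, {location: target})."""
    processes, entries, in_procs = set(), {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        match = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif match:
            in_procs = False
            code, body = match.groups()
            if code.startswith("R"):      # registry value = data
                loc, _, target = body.partition(" = ")
            elif code == "O4":            # autorun: key: [value name] command
                loc, _, target = body.partition("] ")
                loc += "]"
            else:                         # e.g. O2 BHO: name - {CLSID} - file
                loc, _, target = body.rpartition(" - ")
            entries[loc] = target
        elif in_procs and line:
            processes.add(line.lower())   # Windows paths are case-insensitive
    return processes, entries


def compare(old_text, new_text):
    """Report what moved between two scans of the same machine."""
    old_p, old_e = parse_log(old_text)
    new_p, new_e = parse_log(new_text)
    shared = old_e.keys() & new_e.keys()
    return {
        # Same registry location, different file behind it
        "rotated": sorted((loc, old_e[loc], new_e[loc])
                          for loc in shared if old_e[loc] != new_e[loc]),
        "unchanged": sorted(loc for loc in shared if old_e[loc] == new_e[loc]),
        "gone": sorted(old_e.keys() - new_e.keys()),
        "procs_gone": sorted(old_p - new_p),
        "procs_new": sorted(new_p - old_p),
    }


if __name__ == "__main__":
    report = compare(LOG_FIRST, LOG_SECOND)
    for loc, old, new in report["rotated"]:
        print(f"ROTATED  {loc}\n    was: {old}\n    now: {new}")
    print("processes gone:", report["procs_gone"])
    print("processes new: ", report["procs_new"])
```
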

I also downloaded reglite and tried to post the address as mentioned in other fixes and I get an error copying

Karen


Karen,

Your log is still incomplete ....

 

Well let's try this anyway ... starting from the beginning.

 

Tools and Downloads required:

 

Download: "Find-All.zip"

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Unzip but do not do anything yet, it will be needed later.

 

Download: "SALAMAND.zip"

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Unzip but do not do anything yet, it will be needed later.

 

Download and install: (freeware)

Registrar Lite: http://www.resplendence.com/reglite

 

Download: CWShredder

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, but do not run it yet, it will be needed later.

 

Download: Ad-Aware

http://www.lavasoft.de/software/adaware/

Install, but do not run it yet, it will be needed later.

 

Download: SpyBot-Search & Destroy 1.3

http://majorgeeks.com/download2471.html

 

[step 1]

 

Hint: you may want to print this out to avoid mistakes.

 

Open Reglite, copy and paste the below into the address bar, hit "Go" button:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Double-click the "AppInit_Dlls" entry (right pane)

Copy and paste in your next post the following fields:

-Size

-Value

Close Reglite

 

 

Next: Locate and double-click the (included in Find-All.zip) "Find-All.bat"

When completed, generates "output.txt"

Copy and Paste the entire contents of "output.txt" into your next post.


Mike,

 

I am truly sorry I am beginning to feel like a real idiot, I did as you suggested and got all of those programmes again. I was unable to copy your quote into reglite so typed it in and I didn't get anywhere where I could double click on AppInit_DLLs,

I got these folders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\HTML Help

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ITStorage

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\\(default)

 

Now if I open Current Version under a new window I get many folders and file and the only reference to DLL's is a folder called Shared DLL's

 

I have a new output Log not sure if its going to help

 

 

==***@@@ 'FIND-ALL' VERSION 7 -5/24 @@@***==--

 

 

Sun May 23 21:05:02 2004 -- Results:

*System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "Local Disk" (7C29:6036) - FS:NTFS clusters:512

Total: 19 995 622 912 [19G] - Free: 15 021 566 464 [14G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

"ESB{FC5C6C50-B66F-4BCE-BBAE-57B4140BCBC0}"=""

 

 

*Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINNT\System32\msjava.dll

 

 

*PC uptime:

9:05pm up 1 day, 11:44

 

*Locked or 'Suspect' file(s) found...

\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error

\\?\C:\WINNT\System32\D3DNFML.DLL +++ File read error

 

 

*Tasks (services):

0 System Process

8 System

160 SMSS.EXE

184 CSRSS.EXE Title:

204 WINLOGON.EXE Title: NetDDE Agent

240 SERVICES.EXE Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,L

Hosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi

252 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs

448 SVCHOST.EXE Svcs: RpcSs

480 spoolsv.exe Svcs: Spooler

552 ati2evxx.exe Svcs: Ati HotKey Poller

576 CISVC.EXE Svcs: cisvc

596 SVCHOST.EXE Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv

640 InoRpc.exe Svcs: InoRPC

680 InoRT.exe Svcs: InoRT

700 InoTask.exe Svcs: InoTask

772 LogWatNT.exe Svcs: LogWatch

836 regsvc.exe Svcs: RemoteRegistry

864 mstask.exe Svcs: Schedule

940 SVCHOST.EXE Svcs: wuauserv

1052 explorer.exe Title: Program Manager

1240 IEXPLORE.EXE Title:

1296 realsched.exe Title: Notification Wnd for RNAdmin

1576 IEXPLORE.EXE Title: SWI Forums -> About Blank ....gonna scream - Microsoft Internet Explorer

1456 IEXPLORE.EXE Title: SWI Forums -> About Blank ....gonna scream - Microsoft Internet Explorer

1444 Itesz6x.exe Title:

344 Rnz8N.exe Title:

1564 rl.exe Title: Registrar

1268 WINZIP32.EXE Title: WinZip - Find-All.zip

1132 CMD.EXE Title: C:\WINNT\system32\cmd.exe

1460 NTVDM.EXE

1084 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76741787-C95A-4E5B-9979-731082E8A167}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{6298DB0D-2094-4CBB-BAA8-51135899F70F}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{6298DB0D-2094-4CBB-BAA8-51135899F70F}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

 

*Security settings for 'Windows' key:

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

*ACLs list for *.* in 'junk' folder: (if exist)

*Contents of file(s) in 'junk' folder:

 

Sun May 23 21:05:08 2004 -- *Find-All 'Windows'.hiv list:

A C:\unzipped\Find-All\Find-All\winBackup.hiv

A C:\unzipped\Find-All\Find-All\windows.txt

A C:\FindallwinBackup.hiv

 

 

I am feeling pretty useless at this point

Thxs Kar


Hi,

"I was unable to copy your quote into reglite"

Why? That should paste as all one line ... I just tried it again and it works fine.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Even if you typed it in (exactly!) it will take you there. Or manually by clicking the "+" next to each section (left pane)

+HKEY_LOCAL_MACHINE

+SOFTWARE

+Microsoft

+Windows NT

>+CurrentVersion

>>Windows

 

Then the "AppInit_DLLs" entry should be in the right pane.

With the "Windows" key highlighted in the left pane. Then follow the above directions. You can do this!

{insert vote of confidence here}


thanks for the vote of confidence....I followed your other instructions and just kept clicking away at the folders and voilà.

 

-Size REG_SZ

-Value C:\WINNT\system32\d3dnfml.dll

 

 

thanks for your patience

 

 

Karen

 

and output text as follows

 



Hi,

[step 2]

 

Open Reglite, copy and paste the below into the address bar, hit "Go" button:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

(or do the above manually)

 

Rename the highlighted "Windows" key (left pane)

To rename: Right-click and select: Rename

(type) NoWindows

 

Next: Double-click "AppInit_DLLs" again (right pane)

Clear (delete) the "Value" containing the d3dnfml.dll and click "Apply", then Ok.

 

IMPORTANT: Rename the "NoWindows" key (left pane)

To rename: Right-click and select: Rename

(type) "Windows" (no quotes) and close Registrar Lite.

 

Next: Reboot, IMPORTANT: do not do anything else just reboot.

 

 

[step 3]

 

Open Salamand.exe included in "SALAMAND.zip"

Follow these menu options exactly as described:

 

Click the "Left" menu item (top left)

Select: "Change Drive", select: C:

 

Click the "Right" menu item (top right)

Select: "Change Drive", select: C:

 

Click the "Commands" menu item

Select: "Create Directory"

(type) junk and press Ok

 

Click the "Options" menu item

Select: "Command Line"

 

Click the "Commands" menu item

Select: "Change Directory"

(type) C:\WINNT\system32 and press Ok

 

Click the "Commands" menu item again

Select: "Find Files", then click the "Edit" button.

 

In the "Search for" box (type) d3dnfml.dll press Ok

Note: uncheck "include subdirectories" option

Press "Start" (bottom left)

 

On "file found" press "Focus" button

 

Next: click "Files" menu item (up top)

Select: "Move\Rename" (type) C:\junk and press Ok.

 

[step 4]

 

Locate: "xfix.bat" included in the Find-All.zip

 

Double click on it once, it should clean/restore the key.

(though nothing would appear to happen)

 

Run the "Find-All.bat" again and post the "output.txt" results.


I have tried 4 X to post the output log and I get a Microsoft Windows error and it closes me out of the net

 

so I can't add it for some stupid reason


Hi,

I have no idea why you got that error since you were able to post the same results before ... hmm? Well since you didn't mention whether things went well with the above steps, I'll post the rest of it ...

 

[step 5]

 

Open Salamand again

Click the "Left" menu item (top left)

Select: "Change Drive", select: C:

 

The bottom Address Bar should show: C:\>

 

Copy and Paste the following 2 commands, one at a time, press Enter.

Important: Close the prompt box after each command return.

Note: You should get (processed..) confirmation on first, and nothing on the second.

 

Command 1:

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f

 

Note: both of these lines in bold are all one line.

 

Command 2:

attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111

 

Close Salamand, open Windows Explorer and delete the C:\Junk folder.

 

Next, run CWShredder, Ad-Aware and\or SpyBot and post a fresh log.


Hi someclue or anyone else who will take a moment to answer......

 

Have been reading your thread with interest as I too am having similar problems. I'm hoping you might be able to help me with a basic question (about forum procedure) as you seem to have figured it out already.

 

When you begin an exchange of dialogue (especially with one person like WinHelp 2002 has done for you), how does that person know you have responded to their response? A member responded to my initial posting and I simply then replied to that but does he know that I have replied? Is he flagged somehow that I have answered him (as I have elected to do by ticking-off yes to e-mail notification)?

 

Can you let me know the answer to this basic question which is impeding me getting my posting responded to.

 

Thanks so much. I will check on this thread to see if you have posted a reply.

 

showhost


showhost,

To answer your question ... yes most of us hit the "Track this Topic" so we will know when someone has responded to the post. I looked at your log and posted a reply ...


thanks so much for all your help I am sorry I wasn't able to get back to you. I think I have it all cleaned out but I still have that pepper trojan. I tried the link you gave me and I downloaded it and I get the following message: attempt to access invalid address

 

Not sure what that is about thxs Karen


someclue,

"but I still have that pepper trojan"

Uninstall Peper Trojan

http://mjc1.com/files/scripts/drpeper.html

Note: make sure you are online when run, then reboot.

Then run it again and reboot ...

 

I'm not sure why you are getting an error? Were you "online" when you ran the program? or maybe a bad download? Try it again and let me know.

 

After the above and a reboot post a fresh log ...
